Pentester pops open Tesla Model 3 using low-cost Bluetooth module
Anything that uses proximity-based BLE is vulnerable, claim researchers
Tesla Model 3 and Y owners, beware: the passive entry feature on your vehicle could potentially be hoodwinked by a relay attack, leading to the theft of the flash motor.
Discovered and demonstrated by researchers at NCC Group, the technique involves relaying the Bluetooth Low Energy (BLE) signals from a smartphone that has been paired with a Tesla back to the vehicle. Far from simply unlocking the door, this hack lets a miscreant start the car and drive away, too.
Essentially, what happens is this: the paired smartphone should be physically close by the Tesla to unlock it. NCC's technique involves one gadget near the paired phone, and another gadget near the car. The phone-side gadget relays signals from the phone to the car-side gadget, which forwards them to the vehicle to unlock and start it. This shouldn't normally happen because the phone and car are so far apart. The car has a defense mechanism – based on measuring transmission latency to detect that a paired device is too far away – that ideally prevents relayed signals from working, though this can be defeated by simply cutting the latency of the relay process.
In a real-life scenario, a victim could be in a building just out of range of their Tesla while standing near a crook with a relay gadget on them. This gadget relays signals from the victim's phone to the Tesla outside via another miscreant with a gadget, who jumps in and steals the unlocked vehicle.
In its testing, NCC Group said it was able to perform a relay attack that opened a Tesla Model 3 in which the vehicle's paired device was located in a house approximately 25 metres from the vehicle. Using phone-side and vehicle-side relaying devices made from $50 Bluetooth development modules, the team said it managed to gain full access to the Tesla when the vehicle-side relay was brought within 3 metres.
While NCC only tested the attack on a Tesla Model 3, Sultan Khan, senior security researcher at NCC and the author of the advisory, said the technology used in the Tesla app is the same when connecting to a Model 3 or Y. Khan also theorized that Model 3 and Y key fobs were also likely affected, though those weren't tested either.
The advisory added:
As the latency added by this relay attack is within the bounds accepted by the Model 3 (and likely Model Y) passive entry system, it can be used to unlock and drive these vehicles while the authorized mobile device or key fob is out of range.
A problem of keys
Tesla hasn't had a good history when it comes to security researchers finding ways to unlock its cars. In 2014, a group of Chinese university students managed an on a attack Model S that allowed them to open doors, sound the horn and more while the vehicle was in motion, and a second Chinese group did much the same in 2016. That same year, the Tesla app was exploited to allow attackers to track, locate, unlock and start vehicles. Two years later, Belgian researchers managed to clone Tesla keyfobs, giving them full control of the affected vehicle.
A problem of Bluetooth
At the same time NCC Group released its Tesla BLE relay advisory, it published a second advisory authored by Khan. In that advisory, he explains how NCC's novel method to hijack a Tesla works against anything relying on BLE to confirm the presence of an authorized user.
In the advisory, Khan states that BLE proximity relay attacks have been known about for years. Fortunately for fans of the protocol, existing relay attacks introduce too much latency. "Products commonly attempt to prevent relay attacks by imposing strict Generic Attribute Protocols (GATT) response time limits and/or using link layer encryption," Khan said.
- Tesla sues former engineer, claims he stole Dojo supercomputer trade secrets
- Elon Musk flogs $8.4bn of Tesla shares amid Twitter offer drama
- Tesla employee: I was fired after sharing video of self-driving car crash
- 'Boombox' function sparks Tesla recall
The tool developed by NCC Group for its research operates at the link layer, which Khan said reduces latency down to acceptable GATT ranges. By doing so, it's able to circumvent latency bounding and link layer encryption, Khan said.
It's worth noting that the Bluetooth Core Specification makes no claims that BLE proximity signals are secure. In Proximity Profile specification updates from 2015, the Bluetooth Special Interest Group (SIG) stated "the Proximity Profile should not be used as the only protection of valuable assets," and additionally "there is currently no known way to protect against such attacks using Bluetooth technology."
Car owners should disable passive entry
Khan said that the Tesla Product Security team was notified in April of the flaw. Their response was that it was a known limitation of the passive entry system.
Tesla owners concerned about a relay attack should use the PIN to Drive feature in their Tesla, as well as disabling passive entry:
Controls > Settings > Doors & Locks > Passive Entry > OFF
Khan also said adding checks like having the app report the device's last known location and time-of-flight ranging could protect owners, but that's on Tesla to fix, and Khan told Bloomberg the automaker said it has no plans to do so.
Because this attack potentially affects so many devices used to secure so many things, it's a serious issue. Khan said that Bluetooth SIG was notified of the flaw and it told him "more accurate ranging mechanisms are under development."
We've asked the Bluetooth SIG to tell us more about those mechanisms and their availability, but have yet to hear back. ®